MicrosoftDocs
diff --git a/‎articles/sentinel/connect-threat-intelligence-tip.md
Lines changed: 0 additions & 2 deletions b/‎articles/sentinel/connect-threat-intelligence-tip.md
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/configure-matching-analytics-rule.png
37.3 KB b/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/configure-matching-analytics-rule.png
37.3 KB
diff --git a/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/data-sources.png
-32.1 KB b/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/data-sources.png
-32.1 KB
diff --git a/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/matching-analytics-logs.png
25.3 KB b/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/matching-analytics-logs.png
25.3 KB
diff --git a/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/matching-analytics-template-ga.png
-60.8 KB b/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/matching-analytics-template-ga.png
-60.8 KB
diff --git a/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/matching-analytics-threat-intelligence.png
61.2 KB b/‎articles/sentinel/media/use-matching-analytics-to-detect-threats/matching-analytics-threat-intelligence.png
61.2 KB
diff --git a/‎articles/sentinel/use-matching-analytics-to-detect-threats.md
Lines changed: 9 additions & 7 deletions b/‎articles/sentinel/use-matching-analytics-to-detect-threats.md
Lines changed: 9 additions & 7 deletions
@@ -147,8 +147,6 @@ The last step in the integration process is to enable the TIP data connector in
 
 1. Find and select the **Threat Intelligence Platforms - BEING DEPRECATED** data connector, and then select **Open connector page**.
 
-    :::image type="content" source="media/connect-threat-intelligence-tip/threat-intelligence-platforms-data-connector.png" alt-text="Screenshot that shows the Data connectors page with the Threat Intelligence Platforms data connector listed." lightbox="media/connect-threat-intelligence-tip/threat-intelligence-platforms-data-connector.png":::
-
 1. Because you already finished the app registration and configured your TIP or custom solution to send threat indicators, the only step left is to select **Connect**.
 
 Within a few minutes, threat indicators should begin flowing into this Microsoft Sentinel workspace. You can find the new indicators on the **Threat intelligence** pane, which you can access from the Microsoft Sentinel menu.
 
@@ -25,6 +25,7 @@ Take advantage of threat intelligence produced by Microsoft to generate high-fid
 You must install one or more of the supported data connectors to produce high-fidelity alerts and incidents. A premium Microsoft Defender Threat Intelligence license isn't required. Install the appropriate solutions from the **Content hub** to connect these data sources:
 
   - Common Event Format (CEF) via Legacy Agent
+  - Windows DNS via Legacy Agent (Preview)
   - Syslog via Legacy Agent
   - Microsoft 365 (formerly, Office 365)
   - Azure activity logs
@@ -41,7 +42,7 @@ You must install one or more of the supported data connectors to produce high-fi
   |[Windows Server DNS](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-dns?tab=Overview)  |[DNS connector for Microsoft Sentinel](data-connectors/dns.md) |
   |[Syslog solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-syslog?tab=Overview)  |[Syslog connector for Microsoft Sentinel](data-connectors/syslog.md)  |
   |[Microsoft 365 solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-office365?tab=Overview) | [Office 365 connector for Microsoft Sentinel](data-connectors/office-365.md)    |
-  |[Azure Activity solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivity?tab=Overview)    |  [Azure Activity connector for Microsoft Sentinel](data-connectors/azure-activity.md)       |
+  |[Azure Activity solution for Sentinel](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-azureactivity?tab=Overview)    |  [Azure Activity connector for Microsoft Sentinel](data-connectors/azure-activity.md)   |
 
 ## Configure the matching analytics rule
 
@@ -59,13 +60,14 @@ Matching analytics is configured when you enable the **Microsoft Defender Threat
 
 1. Select **Review** > **Create**.
 
-:::image type="content" source="media/use-matching-analytics-to-detect-threats/configure-matching-analytics-rule.png" alt-text="Screenshot that shows the Microsoft Defender Threat Intelligence Analytics rule enabled on the Active rules tab.":::
+:::image type="content" source="media/use-matching-analytics-to-detect-threats/configure-matching-analytics-rule.png" alt-text="Screenshot that shows the Microsoft Defender Threat Intelligence Analytics rule enabled on the Active rules tab." lightbox="media/use-matching-analytics-to-detect-threats/configure-matching-analytics-rule.png":::
 
 ## Data sources and indicators
 
 Microsoft Defender Threat Intelligence Analytics matches your logs with domain, IP, and URL indicators in the following ways:
 
 - **CEF logs** ingested into the Log Analytics `CommonSecurityLog` table match URL and domain indicators if populated in the `RequestURL` field, and IPv4 indicators in the `DestinationIP` field.
+- **Windows DNS logs**, where `SubType == "LookupQuery"` ingested into the `DnsEvents` table matches domain indicators populated in the `Name` field, and IPv4 indicators in the `IPAddresses` field.
 - **Syslog events**, where `Facility == "cron"` ingested into the `Syslog` table matches domain and IPv4 indicators directly from the `SyslogMessage` field.
 - **Office activity logs** ingested into the `OfficeActivity` table match IPv4 indicators directly from the `ClientIP` field.
 - **Azure activity logs** ingested into the `AzureActivity` table match IPv4 indicators directly from the `CallerIpAddress` field.
@@ -78,7 +80,7 @@ If Microsoft's analytics finds a match, any alerts generated are grouped into in
 
 Use the following steps to triage through the incidents generated by the **Microsoft Defender Threat Intelligence Analytics** rule:
 
-1. In the Microsoft Sentinel workspace where you enabled the **Microsoft Defender Threat Intelligence Analytics** rule, select **Incidents**, and search for **Microsoft Threat Intelligence Analytics**.
+1. In the Microsoft Sentinel workspace where you enabled the **Microsoft Defender Threat Intelligence Analytics** rule, select **Incidents**, and search for *Microsoft Defender Threat Intelligence Analytics*.
 
     Any incidents that are found appear in the grid.
 
@@ -92,23 +94,23 @@ Use the following steps to triage through the incidents generated by the **Micro
 
     Alerts are then grouped on a per-observable basis of the indicator. For example, all alerts generated in a 24-hour time period that match the `contoso.com` domain are grouped into a single incident with a severity assigned based on the highest alert severity.
 
-1. Observe the indicator information. When a match is found, the indicator is published to the Log Analytics `ThreatIntelligenceIndicators` table, and it appears on the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as **Microsoft Threat Intelligence Analytics**.
+1. Observe the indicator information. When a match is found, the indicator is published to the Log Analytics `ThreatIntelligenceIndicators` table, and it appears on the **Threat Intelligence** page. For any indicators published from this rule, the source is defined as `Microsoft Threat Intelligence Analytics`.
 
 Here's an example of the `ThreatIntelligenceIndicators` table.
 
 :::image type="content" source="media/use-matching-analytics-to-detect-threats/matching-analytics-logs.png" alt-text="Screenshot that shows the ThreatIntelligenceIndicator table showing indicator with SourceSystem of Microsoft Threat Intelligence Analytics." lightbox="media/use-matching-analytics-to-detect-threats/matching-analytics-logs.png":::
 
-Here's an example of the **Threat Intelligence** page.
+Here's an example of searching for the indicators in the management interface.
 
 :::image type="content" source="media/use-matching-analytics-to-detect-threats/matching-analytics-threat-intelligence.png" alt-text="Screenshot that shows the Threat Intelligence overview with indicator selected showing the source as Microsoft Threat Intelligence Analytics." lightbox="media/use-matching-analytics-to-detect-threats/matching-analytics-threat-intelligence.png":::
 
 ## Get more context from Microsoft Defender Threat Intelligence
 
-Along with high-fidelity alerts and incidents, some Microsoft Defender Threat Intelligence indicators include a link to a reference article in the Microsoft Defender Threat Intelligence community portal.
+Along with high-fidelity alerts and incidents, some Microsoft Defender Threat Intelligence indicators include a link to a reference article in Intel Explorer.
 
 :::image type="content" source="media/use-matching-analytics-to-detect-threats/mdti-article-link.png" alt-text="Screenshot that shows an incident with a link to the Microsoft Defender Threat Intelligence reference article.":::
 
-For more information, see [What is Microsoft Defender Threat Intelligence?](/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti).
+For more information, see [Searching and pivoting with Intel Explorer](/defender/threat-intelligence/searching-and-pivoting).
 
 ## Related content